Rancher — multi-cluster management platform

— Kubernetes is the new Cloud commodity
— Multiple Kubernetes clusters are the new de facto standard
  — Geographically separate regions
  — Logical separation for varied functional departments
  — Separate environments with different security standards
— Rancher deploys Kubernetes anywhere
— Rancher can manage multiple heterogeneous Kubernetes clusters
Kubernetes Authentication Support

Refer to https://kubernetes.io/docs/reference/access-authn-authz/authentication/

Authentication strategies:

— X509 Client Certificate Auth
— Static Token File
— Bootstrap Tokens
— Service Account Tokens
— OpenID Connect Tokens
— Webhook Token Authentication
— Authenticating Proxy
Users and Groups

— Service accounts are managed by Kubernetes
— Normal users should be managed externally
— No API support for user and group resources
— Usernames and GroupIds are represented as “subjects” to manage RBAC

User Impersonation

— Ability for one user (or service account) to act as another.
— The user or service account must have “impersonate” permissions granted
— Important key to Rancher’s authentication system
Need for a Central Authentication and Authorization Framework

— Various hosted Kubernetes providers bring different authentication strategies
— Authentication strategies on most hosted providers cannot be configured from outside
— Replicating and managing the same Users and Groups across multiple clusters is cumbersome
— Managing RBAC of users within and across multiple clusters from an external platform becomes too difficult
Rancher — Central Authentication Proxy

— Unified Authentication Configuration
— Configure once centrally and apply to multiple clusters
— Rancher integrates with varied auth providers:
  — LDAP/AD/FreeIPA
  — GitHub
  — SAML (Okta, Ping, Shibboleth, Keycloak, ADFS)
  — AzureAD
— Rancher admin can manage access to multiple heterogeneous Kubernetes clusters from a single pane of glass

[Figure: a user request enters the Rancher Authentication Proxy, which authenticates against an external provider (Active Directory, Ping and Azure AD shown) and forwards the request with impersonation to Cluster 1 and Cluster 2]
Authentication framework implementation

— Rancher implements a central auth proxy using CRDs [custom resource definitions that extend the K8s API] and external controllers that manage them.
— Users are represented as first-class objects implemented using CRs
— When a user authenticates with the configured external auth provider, Rancher gathers the following information:
  — Username [stored as User PrincipalId]
  — Groups the user is part of [stored as []GroupPrincipals]
— Users authenticate with Rancher, and Rancher redirects the user request to the specific Kubernetes cluster using standard bearer tokens and user impersonation to act as that user
— User management from a central point is possible
— Manage permissions per user across clusters
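The proxy flow just described, together with the “impersonate” permission from the User Impersonation slide, as an added Python model that is not Rancher's code: the tokens, principal ids and the impersonating service-account identity are constructed placeholders, and the downstream RBAC table stands in for a real ClusterRole.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    """Rancher-style user record (constructed): principal id plus group principals."""
    name: str
    principal_id: str
    group_principals: list = field(default_factory=list)

# Constructed Rancher token table: bearer token -> authenticated user.
RANCHER_TOKENS = {
    "token-abc": User("ann", "activedirectory_user://ann",
                      ["activedirectory_group://dev", "activedirectory_group://qa"]),
}
# Constructed credential the proxy presents to a downstream cluster, and the
# identity that cluster's API server resolves it to.
CLUSTER_SA_TOKEN = "cluster1-rancher-sa-token"
CLUSTER_IDENTITIES = {CLUSTER_SA_TOKEN: "system:serviceaccount:cattle-system:rancher"}
# Downstream RBAC (constructed): identities granted the "impersonate" verb and
# on which resources (users, groups); anything else is denied by default.
IMPERSONATE_RULES = {"system:serviceaccount:cattle-system:rancher": {"users", "groups"}}

def forward_headers(incoming):
    """Proxy side: validate the Rancher bearer token, then build the downstream
    request headers: the proxy's own credential plus Impersonate-User and
    Impersonate-Group, so the API server evaluates RBAC as the real user."""
    auth = incoming.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    user = RANCHER_TOKENS.get(auth[len("Bearer "):])
    if user is None:
        raise PermissionError("unknown or expired Rancher token")
    out = {"Authorization": f"Bearer {CLUSTER_SA_TOKEN}",
           "Impersonate-User": user.principal_id}
    if user.group_principals:  # multi-valued header: one value per group
        out["Impersonate-Group"] = list(user.group_principals)
    return out

def impersonation_allowed(downstream):
    """API-server side: resolve the bearer credential to an identity and check it
    holds the impersonate verb for every identity kind the request sets."""
    token = downstream.get("Authorization", "")[len("Bearer "):]
    identity = CLUSTER_IDENTITIES.get(token)
    if identity is None:
        return False
    needed = {res for hdr, res in (("Impersonate-User", "users"),
                                   ("Impersonate-Group", "groups")) if hdr in downstream}
    return bool(needed) and needed <= IMPERSONATE_RULES.get(identity, set())
```

If the proxy's service account lacks the impersonate verb on either resource, the downstream check fails and the request is denied even though the Rancher token itself was valid.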
Authentication vs Authorization

— Authentication controls whether you are eligible to access a cluster in Rancher, by validating credentials with an external auth provider.
— Authorization dictates whether you can access a cluster resource or perform an action on the cluster.
— Authentication is handled by Rancher, while authorization is performed by the Kubernetes cluster’s API server.
Kubernetes Authorization Support

Refer to https://kubernetes.io/docs/reference/access-authn-authz/rbac/

[Figure: RBAC subject kinds: User, Group, ServiceAccount]
Rancher GlobalRole for multi-cluster RBAC

— Leverages Kubernetes RBAC by extending the API using CRDs
— To support global-level access, Rancher introduces “GlobalRole” in addition to the Kubernetes “Role” and “ClusterRole”
— Since Rancher is a multi-cluster management platform, there is a need to define a Global Admin user:
  — That can create/access all clusters
  — Configure authentication
  — Manage other users and assign permissions to users across clusters
Rancher Project and ProjectRole

— A Project is a collection of namespaces
— Supports collaboration and sharing resources
— RBAC rules are defined once and copied to all namespaces
— Using projects, Rancher can support multi-tenancy within a cluster and support teams for collaboration
— To support this, Rancher introduces “ProjectRole”

[Figure: a ProjectRole applied to Project A, which contains Bob's namespace and Ann's namespace]

Rancher Project

— Rancher admins can leverage Rancher Project to also set up infrastructure-level access:
  — Define Pod Security Policies
  — Resource Quota management
  — Network Policies

[Figure: Project A contains Bob’s namespace and Ann’s namespace; Project B contains Mary's namespace and a second namespace]
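The fan-out of a project-level role into per-namespace RBAC objects, and the API server's authorization decision on top of them, as an added Python model that is not Rancher's code; project names, namespaces, subjects and role templates are constructed, and the objects use the rbac.authorization.k8s.io/v1 field names.

```python
# Constructed Project definitions: a Project is a collection of namespaces.
PROJECTS = {"project-a": ["bob-ns", "ann-ns"], "project-b": ["mary-ns"]}

# Constructed role templates, in Kubernetes PolicyRule shape.
ROLE_TEMPLATES = {
    "project-member": [{"apiGroups": [""], "resources": ["pods", "services"],
                        "verbs": ["get", "list", "create", "delete"]}],
    "read-only": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list"]}],
}

def fan_out(project, subject, role_template):
    """Define the RBAC rule once at project level and copy it into every
    namespace the project owns, as a Role plus RoleBinding per namespace.
    Object names are illustrative; a real controller would sanitise them."""
    objects = []
    for ns in PROJECTS[project]:
        objects.append({"kind": "Role", "metadata": {"name": role_template, "namespace": ns},
                        "rules": ROLE_TEMPLATES[role_template]})
        objects.append({"kind": "RoleBinding",
                        "metadata": {"name": f"{subject['name']}-{role_template}", "namespace": ns},
                        "subjects": [subject],
                        "roleRef": {"kind": "Role", "name": role_template}})
    return objects

def allowed(objects, user, groups, namespace, verb, resource):
    """Model of the API server's RBAC authorizer: RoleBindings in the namespace
    whose subjects match the user or one of the user's groups grant the rules
    of the Role they reference. Anything not explicitly allowed is denied."""
    roles = {(o["metadata"]["namespace"], o["metadata"]["name"]): o["rules"]
             for o in objects if o["kind"] == "Role"}
    for o in objects:
        if o["kind"] != "RoleBinding" or o["metadata"]["namespace"] != namespace:
            continue
        if not any((s["kind"] == "User" and s["name"] == user) or
                   (s["kind"] == "Group" and s["name"] in groups) for s in o["subjects"]):
            continue
        for rule in roles.get((namespace, o["roleRef"]["name"]), []):
            if (verb in rule["verbs"] or "*" in rule["verbs"]) and \
               (resource in rule["resources"] or "*" in rule["resources"]):
                return True
    return False
```

Because bindings are copied only into the project's own namespaces, a member of Project A gets nothing in Project B's namespaces unless a separate binding grants it there.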





Use Cases

Rancher’s Authentication and Authorization framework facilitates:

— Unified authentication for a heterogeneous cloud
— Single global pane to configure and manage users across multiple clusters
— Managing RBAC of users within and across multiple clusters
— Rancher Project to support multi-tenancy within a cluster and infra-level access management
— Self-service access
Demo Time!

Thank you for attending.

Continue the conversation in the SUSE & Rancher Community at community.suse.com.

Visit www.susecon.com for new technical content and information about upcoming SUSECON events!